Conventionally, most security products such as firewalls, Virtual Private Networks (VPNs), Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), etc. protect corporate servers from threats coming from the Internet. Newer threats infect end users, i.e., those who are accessing Internet resources, via bots, phishing, malicious active content, viruses, spyware, etc., all of which subsequently infect corporate networks. Corporations, service providers, enterprises, etc. have done very little to inspect user-initiated traffic and protect their users and networks therefrom. An enterprise, for example, may implement security measures by use of a layered security system. Such a layered security system may be implemented at the network edge of the enterprise, e.g., firewalls, gateway security agents, etc. Additionally, a layered security system may also include security processes and agents that are implemented throughout the enterprise, e.g., virus scanning software on each computer within the enterprise, content filtering software, content monitoring software, etc. However, layered security systems are prone to processing inefficiencies and may require many resources within the enterprise to maintain the systems. For example, an enterprise may have a multi-layered security system deployed within its network. A file received on the enterprise's computers may be processed by a content filtering system and an intrusion detection system, and pass through the enterprise's firewall to each computer that receives the file. Furthermore, each computer may include virus scanning software that may scan the file when it is received. Thus, regardless of the file integrity, each file may potentially be inspected multiple times by multiple processes, causing processing delays. Thus, while the objective of protecting the enterprise is met, it is nevertheless met in a relatively inefficient manner.
Additionally, many of these layered defenses operate independently and do not provide feedback to different security layers. For example, the virus scanning software the enterprise uses may not be able to communicate with the enterprise's firewall. Thus the firewall may continue to pass the infected file, and each computer that receives the infected file will expend resources performing security operations, and each user of those computers will likewise spend time performing manual remedial actions in response to the security threat. Many layered security systems do not implement a distribution infrastructure to communicate and share content intelligence. This results in repeated processing of both good and bad content. For example, information related to a virus outbreak detected in an enterprise location cannot be readily propagated to a central office or other branches of the enterprise; uniform resource locators (URLs) found to include malicious software (“malware”) or objectionable content cannot be readily propagated to a central office or other branches of the enterprise, etc. Many layered security systems also cannot readily maintain a central data store of threat data that classifies content items such as files, URLs, and e-mails according to security classifications (e.g. virus, malware, spam mail, etc.).
Phishing is the fraudulent process of attempting to acquire sensitive information from computer users such as usernames, passwords, payment details, personal identification information, etc. by masquerading as a trustworthy entity in an electronic communication. For example, communications purporting to be from popular social web sites, auction sites, online payment processors, banks or other financial institutions, etc. are commonly used to lure unsuspecting users. Phishing is typically carried out by e-mail, instant messaging, etc., and it often directs users to enter details at a fake website whose look and feel are almost identical to a legitimate one. Phishing is an example of social engineering techniques used to fool users, and exploits the poor usability of current web security technologies. For example, e-mails, supposedly from the Internal Revenue Service, have been used to glean sensitive data from U.S. taxpayers. Most methods of phishing use some form of technical deception designed to make a link appear to belong to the spoofed organization. Misspelled URLs or the use of subdomains are common tricks used by phishers. In the following example URL, www.yourbank.example.com/, it appears as though the URL will take you to the example section of the yourbank website; actually this URL points to the “yourbank” (i.e. phishing) section of the example website. Another common trick is to make the displayed text for a link (the text between the <A> tags) suggest a reliable destination, when the link actually goes to a phisher's site.
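The two link tricks described above can be checked mechanically. The following added example (not part of the original text) parses anchor tags and flags links whose displayed text names one domain while the href resolves to another; `yourbank.com` as the legitimate domain, the two-label domain heuristic, and the sample HTML are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

def registrable_domain(host):
    # Simplification: last two labels; production code should use the Public Suffix List.
    return ".".join(host.rstrip(".").split(".")[-2:])

def host_of(text):
    # Hostname of a URL or bare "www.site.tld/path" string, else None.
    text = text.strip()
    if not text or " " in text:
        return None
    try:
        host = urlsplit(text if "//" in text else "//" + text).hostname
    except ValueError:  # malformed authority, e.g. unbalanced IPv6 brackets
        return None
    return host if host and "." in host.rstrip(".") else None

class LinkAuditor(HTMLParser):
    """Collects (shown_text, real_domain, real_host) where link text and href disagree."""
    def __init__(self):
        super().__init__()
        self.findings, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":  # HTMLParser lowercases <A> and HREF
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag != "a" or self._href is None:
            return
        text = "".join(self._text).strip()
        shown, target = host_of(text), host_of(self._href)
        if shown and target and registrable_domain(shown) != registrable_domain(target):
            self.findings.append((text, registrable_domain(target), target))
        self._href = None

def audit(html):
    parser = LinkAuditor()
    parser.feed(html)
    return parser.findings

# Constructed sample; yourbank.com is an assumed legitimate domain for illustration.
SAMPLE = """
<A HREF="http://www.yourbank.example.com/login">www.yourbank.com</A>
<a href="https://www.yourbank.com/help">www.yourbank.com/help</a>
<a href="http://www.yourbank.example.com/">Sign in to your account</a>
"""
```

Only the first sample link is reported: its text shows `www.yourbank.com` while the href's registrable domain is `example.com`. The third link uses the same deceptive host but plain-prose link text, so catching it would need a separate list of known brand domains.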